Computer Security: Principles and Practice - BME

Chapter 4: Access Control

First Edition by William Stallings and Lawrie Brown

Access Control

"The prevention of unauthorized use of a resource, including the prevention of use of a resource in an unauthorized manner"

central element of computer security

access control policy
defines who (e.g., user, user group, process, etc.) can access what (system resources such as files, channels, services, etc.), in which manner (e.g., read, write, execute, etc.), and under what circumstances (e.g., time, location, history, etc.)

access control enforcement
system components that ensure that the system operates in compliance with the access control policy
it should be impossible to circumvent the access control enforcement function
examples: firewalls, OS reference monitor

General Model of Access Control

(figure: access control policy; access control enforcement)

Types of Access Control Policies

Discretionary access control (DAC) based on the identity of the requestor and on access rules (authorizations) stating what requestors are (or are not) allowed to do with the protected resources

Mandatory access control (MAC) based on comparing security labels (which indicate how sensitive or critical system resources are) with security clearances (which indicate which system entities are eligible to access certain resources)

Role-based access control (RBAC) based on the roles that users have within the system and on rules stating what accesses are allowed to users in given roles

Basic Elements of AC

subject - entity that can access objects

e.g., a user, user group, or a process representing a user

object - access controlled resource

e.g. files, directories, records, programs, etc.

access right - way in which subject accesses an object

e.g. read, write, execute, delete, create, search

Discretionary Access Control

often represented in terms of an access matrix
lists subjects in one dimension (rows)
lists objects in the other dimension (columns)
each entry specifies the access rights of the specified subject to that object

the access matrix is often sparse
can be decomposed either by row (credentials, i.e., capability lists: one list per subject) or by column (access control lists: one list per object)
another efficient representation is the authorization table, which contains (subject, object, access right) triplets
can be sorted (indexed) either by subject (→ credentials) or by object (→ ACLs)

Decomposition of an AC Matrix

A more general DAC model

(Lampson, Graham, Denning)

subjects are allowed to alter the protection state (represented by the AC matrix)
copy flag (a*) → the holder may transfer the given access right to another subject, either with or without the copy flag
owner → can grant any access right on the given object
control → can delete access rights assigned to the given subject

Allowed commands for S0

transfer a/a* to (S, X)

precondition: (S0, X) contains a*

grant a/a* to (S, X)

precondition: (S0, X) contains "owner"

delete a/a* from (S, X)

precondition: (S0, X) contains "owner" or (S0, S) contains "control"

create object X

S0 becomes owner of X

destroy object X

precondition: (S0, X) contains "owner"

create subject S

S0 becomes "owner" of and has "control" on S

destroy subject S

precondition: (S0, S) contains "owner"
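The following is an added example, not code from the slides or from Stallings and Brown. It models the access matrix from the "Discretionary Access Control" slide and exposes its three representations (ACL per column, credentials/capabilities per row, authorization table), and it implements the Lampson/Graham/Denning commands above with their preconditions. The spelling of the copy flag as a trailing `*` on a right name, the exception types, and the scenario in `demo()` are assumptions made for illustration.

```python
"""Access matrix with the Lampson/Graham/Denning protection-state commands.

Added example; not code from Stallings & Brown. The 'right*' spelling of the
copy flag, the right names and the demo scenario are illustrative assumptions.
"""


class AccessMatrix:
    """A[s][x] is the set of rights subject s holds on x, where x may be an
    object or another subject. A right spelled 'a*' carries the copy flag."""

    def __init__(self, initial_subjects=()):
        self.subjects = set(initial_subjects)
        self.objects = set()
        self.A = {}  # subject -> {object_or_subject -> set(rights)}

    def rights(self, s, x):
        return self.A.get(s, {}).get(x, set())

    def _add(self, s, x, right):
        self.A.setdefault(s, {}).setdefault(x, set()).add(right)

    # --- three representations of the same protection state -------------
    def acl(self, x):
        """Column of the matrix: who may do what to x."""
        return {s: set(self.rights(s, x)) for s in self.subjects if self.rights(s, x)}

    def capabilities(self, s):
        """Row of the matrix (credentials): what s may do to which x."""
        return {x: set(r) for x, r in self.A.get(s, {}).items() if r}

    def authorization_table(self):
        """(subject, object, right) triplets; sort by either column to index."""
        return sorted((s, x, r) for s in self.A for x in self.A[s] for r in self.A[s][x])

    # --- commands issued by subject s0, with the slide's preconditions ---
    def create_object(self, s0, x):
        if x in self.objects or x in self.subjects:
            raise ValueError(f"{x} already exists")
        self.objects.add(x)
        self._add(s0, x, "owner")          # creator becomes owner of x

    def destroy_object(self, s0, x):
        if "owner" not in self.rights(s0, x):
            raise PermissionError(f"{s0} does not own {x}")
        self.objects.discard(x)
        for row in self.A.values():        # drop the whole column
            row.pop(x, None)

    def create_subject(self, s0, s):
        if s in self.objects or s in self.subjects:
            raise ValueError(f"{s} already exists")
        self.subjects.add(s)
        self._add(s0, s, "owner")          # creator owns ...
        self._add(s0, s, "control")        # ... and controls the new subject

    def destroy_subject(self, s0, s):
        if "owner" not in self.rights(s0, s):
            raise PermissionError(f"{s0} does not own {s}")
        self.subjects.discard(s)
        self.A.pop(s, None)                # drop the row ...
        for row in self.A.values():        # ... and the column
            row.pop(s, None)

    def transfer(self, s0, right, s, x):
        """transfer a/a* to (s, x): s0 must hold a* (the copy flag) on x."""
        if right.rstrip("*") + "*" not in self.rights(s0, x):
            raise PermissionError(f"{s0} holds no copy flag for {right} on {x}")
        self._add(s, x, right)

    def grant(self, s0, right, s, x):
        """grant a/a* to (s, x): s0 must own x."""
        if "owner" not in self.rights(s0, x):
            raise PermissionError(f"{s0} does not own {x}")
        self._add(s, x, right)

    def delete(self, s0, right, s, x):
        """delete a/a* from (s, x): s0 must own x or control s."""
        if "owner" not in self.rights(s0, x) and "control" not in self.rights(s0, s):
            raise PermissionError(f"{s0} neither owns {x} nor controls {s}")
        self.rights(s, x).discard(right)


def demo():
    """Constructed scenario (not from the slides) exercising each rule."""
    m = AccessMatrix(initial_subjects={"S0"})
    m.create_object("S0", "F1")            # S0 becomes owner of F1
    m.create_subject("S0", "S1")           # S0 owns and controls S1
    m.create_subject("S0", "S2")
    m.grant("S0", "read*", "S1", "F1")     # owner grants read with copy flag
    m.transfer("S1", "read", "S2", "F1")   # S1 holds read*, passes plain read
    try:                                   # S2 holds read without copy flag
        m.transfer("S2", "read", "S1", "F1")
        copy_flag_enforced = False
    except PermissionError:
        copy_flag_enforced = True
    m.create_object("S1", "F2")            # S1 owns F2; S0 does not
    m.grant("S1", "write", "S2", "F2")
    m.delete("S0", "write", "S2", "F2")    # allowed anyway: S0 controls S2
    return m, copy_flag_enforced


if __name__ == "__main__":
    matrix, _ = demo()
    for triplet in matrix.authorization_table():
        print(triplet)
```

Note that the same state answers both "who can touch F1?" (`acl("F1")`) and "what can S0 do?" (`capabilities("S0")`), which is the point of the decomposition slide: the choice is about which question must be cheap, not about what is authorized.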

Example: UNIX File Access Control
